9 comments

[ 5.1 ms ] story [ 29.2 ms ] thread
> Wilcox said he considered this avenue, but the university’s ethics board stepped in and prohibited him from publicly releasing the code; since the public release of exploits is a university ethics violation and could have put Wilcox’s degree in jeopardy.

Right, I think that university's ethics board should rapidly dismantle themselves, if they aren't even capable of understanding their mandate.

Suppressing this data is an ethical issue, not doing the research and releasing it in the first place.

Sadly like most governance bodies they think the rules are more important than the outcomes. This is a clear case of the rules causing a bad outcome rather than preventing it.
This story has surfaced a few times now via various publications. I think the assertion that Wassenaar is the issue here is highly flawed.

First, since this student is operating in the UK and, as far as I can tell, is a UK citizen, the proposed US Wassenaar implementation and FAQs have no bearing on him. Instead, I belive he is just bound by the EU implmention of Wassenaar, which unlike the proposed US rules, more-or-less mirrors the original 2013 text exactly: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX.... So any discussion related to what BIS is planning to do is irrelevant to this case. And even if he were a US-based US citizen, it would still be irrelevant since the US rules are still in the proposed stage and aren't even in effect yet.

Second, Wassenaar explicitly exempts anything "in the public domain", as well as all mass-market software, from control under the General Software Note. This is generally interpreted to include any open source code or even publically-available object code, as well as academic research publications.

Finally, the Wassenaar control mechanism for the Class 4 items operates as a secondary control. First it defines "Intrusion software" as:

"Software" specially designed or modified to avoid detection by 'monitoring tools', or to defeat 'protective countermeasures', of a computer or network-capable device, and performing any of the following: the extraction of data or information, from a computer or network-capable device, or the modification of system or user data; or the modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.

But it does not attempt to control "Intrusion Software" directly. Instead it goes on to control:

4.A.5: Systems, equipment, and components therefor, specially designed or modified for the generation, operation or delivery of, or communication with, "intrusion software". 4.D.4: "Software" specially designed or modified for the generation, operation or delivery of, or communication with, "intrusion software". 4.E.1.c: "Technology" for the "development" of "intrusion software".

So individual exploits such as the ones discussed here are not even controlled. Only software designed for the operation, delivery, or control of systems compromised or targeted by such exploits (e.g. think Metasploit, ignoring the open-source and mass-market exemption that likely apply to it).

So it seems like a reach to assert that Wassenaar would control the discussed research, and even if it did, the research could still be published and/or released to the general public without infringing Wassenaar under the General Software Note exemptions.

The issue here seems much more about an Ethics Boards that has little understanding of the ethics of best-practice coordinated disclosure or basic academic freedoms. Wassenaar and the proposed US implementation has many issues, but this doesn't seem to be one of them.

Too bad this wasn't in the US so that it could be tested under the 4th amendment, which actually have some teeth. Unfortunately this happened in the UK, so I guess he is SOL.
You mean the 1st Amendment.
Unfortunately, currently the only amendment which seems to have any teeth is the second. After all, you shouldn't bring teeth to a gunfight.
(comment deleted)
I have no idea what this is supposed to have to do with the thread.
The first is rather well protected. They tried to ban animal snuff videos for example and it was overturned. Hate speech is protected as well, whereas it is prohibited in most (all?) European countries.